The Silicon Dales Guide to GDPR: What does it mean for WordPress & Open Source?

This guide looks at the impact of the GDPR with special regard to website admins, owners and developers – primarily those using the WordPress and WooCommerce platforms, as well as those using Google’s G Suite.

Silicon Dales are accredited WooCommerce developers, as well as Google Partners reselling G Suite to business clients inside and outside of the European Union. While this content is primarily expected to be of interest to those in a similar position, it is likely that this explanation will also be of interest to webmasters, developers, web and PR agencies, business owners, and senior executives looking to come up to speed with GDPR, in the context of what this might mean for their web operations.

There is also some discussion of the wider WordPress and Open Source community and how the challenges of GDPR might be addressed within that context.

What is GDPR?

GDPR is the General Data Protection Regulation – a European Union law which became effective on 25th May 2018.

This regulation goes further than previous data protection rules by increasing the areas covered, the size of the fines and the threshold for informed consent.

GDPR applies to any corporate entity that stores or processes data from any citizen of the European Union (EU).

So, watch out United States, watch out Facebook & Google and bear in mind that “we use cookies to enhance your experience” is perhaps no longer going to cut the mustard.

What the experts say about the GDPR

Alan Calder, CEO at IT Governance, who literally “wrote the book” on information security told us:

“Organisations may consider the General Data Protection Regulation (GDPR) an administrative burden, but ignoring it or getting it wrong could be costly: organisations found to be in breach of the Regulation face administrative fines of up to 4% of their annual global turnover or €20 million – whichever is greater.”

Summary of the GDPR in Plain English

Don’t understand? That’s fine – the GDPR says this should be simple.

Under the GDPR, consent is opt-in for everything: wherever any personal data is collected, the person must actively agree.

Basically, think about people’s privacy before you do anything: design it into your systems, think about how you will secure it and whether or not you even need to collect personal data at all for the service or product in question.

Think about how long you need to even hold data; whether you can get rid of it later; and when you will destroy it.

Think about who has access to this data, and where it gets transferred in the world.

“ARTICLE 1: This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.”

Note that the regulations are concerned with the data of individual people, not companies.

Analogy

Silicon Dales’ Technical Director, Robin Scott, gives this analogy:

“Treat people’s personal data like you would treat their car. When a person lends us their data, it does not become our data. We are borrowing it. It remains their data. We must protect it.

“If you borrowed someone’s car, you wouldn’t leave it with the keys in it. You wouldn’t sell it – because it’s not your car. If you did crash a borrowed car, you’d tell the owner as well as the authorities, and attempt to fix the car or provide compensation.”

Video Overview of the GDPR

This video from the “3 Minutes” series gives you most of the basics on GDPR, as quickly as possible:

Seven Principles

There are seven main principles that the GDPR puts forward:

Consent

It must be easy to give and withdraw consent for use of personal data. It must be easy to understand. Each different use of personal data must receive consent separately.

Example – Consent

Businesses with website contact forms need permission to add contactee information to newsletters, CRMs, ad re-targeting platforms and any use other than replying to the original message. It is also a good idea for the website owner to have a policy on deletion of messages after a given period.

What the experts say about consent under GDPR

“Under the GDPR, consent must be specific, informed and freely given and consent can also be withdrawn at any time – and the Regulation mandates that consent must be as easy to withdraw as it is to give.

“This applies unless organisations can prove that the processing is carried on legitimate interest, a contractual agreement with the individual such as goods or services suppliers that request to fulfil an obligation, or for a task or project in the public interest typically expected from government departments, public authorities, education and healthcare sector organisations.

“Often consent is the most appropriate basis and organisations need to be aware of their obligations, especially as the GDPR raises the standard for consent.”

Breach Notification

Affected people must be informed of any risk to their personal data within 72 hours of the processor being made aware of a breach. The controller must also notify the supervisory authority. [Article 33]

The only excuse to delay is if notification would hamper a law-enforcement investigation.

Example – Breach Notification

The type of delay in notifying compromised data subjects typified by Equifax is unlikely to pass muster in the future.

Right to Access

Data subjects have a right to information on how their personal data is being used and have a right to an electronic copy free of charge.

Example – Right to Access

The ICO recommends that larger firms do a cost-benefit analysis of providing access to personal data that has been processed via a website.

Video – Individual Rights

Here, Laura Monro from Fox Williams LLP gives a seminar on the changes to individual rights under GDPR:

Right to be Forgotten

When personal data is no longer needed for the purpose for which it was originally gathered, data subjects can get the data controller to delete their personal data and cease its transmission.

Video – Right to be Forgotten

Data Portability

Data subjects have the right to access and re-use their personal data across different systems.

The GDPR expects all data processors to make data available in readily accessible and widely-used formats, so that data subjects aren’t locked in to a platform by virtue of the way their personal data has been saved.

Example – Data Portability

In short, allow personal data to be imported and exported in common data formats – this may be interpreted to mean CSV, but perhaps not your own peculiar file extension, for example.

Video – Data Portability

This video from the European Commission likens your data to money in a bank. You should be free to take it elsewhere, no strings attached.

Privacy by Design

Data controllers should build systems which are designed to protect personal data from the outset, rather than as an afterthought or addendum.

Example – Privacy by Design

Think about tick-box permissions and privacy toggling before you build your next website.

Video – Privacy by Design

Good e-Learning provides a great introduction to the principle of Privacy by Design in this short video:

Data Protection Officers

Data controllers (with more than 250 employees, or who deal with large amounts of personal data) must appoint a Data Protection Officer to oversee their data handling processes.

Data Protection Officers will review business operations and plans to ensure they comply with the GDPR.

GDPR – Main Changes

As noted above, the main changes in the GDPR from previous rules within Europe are the penalties, the territorial scope and the bar for consent.

Territorial Scope

The whole world is covered by GDPR. The only limitation is whether the organisation concerned is selling goods or services to European Union citizens, regardless of whether those citizens are paying.

Penalties

The maximum fine is bigger: 4% of annual global turnover or €20 Million (whichever is greater).

Consent

Consent for use of personal data must be plain and clear, not buried in long and unintelligible Terms and Conditions pages.

Video – Key Changes in the GDPR

Silicon Dales Notes on the GDPR

Here we’ve pulled out some headlines which apply to most businesses operating in the WordPress and G Suite space, though you should take advice from an accredited person for more information specific to your business, such as permissions for children or the application of fines in Estonia!

We’ve kept the notes as brief as possible with annotations so you can read further if you’re interested.

Small businesses – don’t panic!

You should still take heed of the GDPR regulations, but the main aim of this Regulation is to hold big businesses accountable for the ways they use personal data.

“To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping. In addition, the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation.” [Introductory Text Page 8]

All businesses and organisations are being encouraged to take a proportionate approach to managing the personal privacy rights of EU citizens.

Anonymised Data

So in general, your Google Analytics setup is fine (note you may need to turn certain features off) – but you should still have a privacy policy and a cookie policy which is explicit about what anonymised data you capture, and be careful when managing identifiable information or profiling your website visitors.

Checkboxes and Internet Websites

The GDPR gets really specific about ways in which websites are expected to provide privacy controls, in this case: checking, or ticking, a box. There’s also a part about icons, later on.

“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.” [Introductory Text, page 18]

So, just to re-cap:

pre-ticked boxes are not ok

each purpose must be consented to separately

the process should be simple

the process should not be turned into a kind of punishment

consent for each individual use of personal data should be informed and given separately – not bundled together as a collection.

Can I pre-tick a consent box?

“Silence, pre-ticked boxes or inactivity should not therefore constitute consent”

This is unambiguous. You can’t, shouldn’t, mustn’t pre-tick a consent box about data. Yes, this includes your newsletter signup box.

You can’t say “untick this box to agree that we can’t share your data with third parties”. That’s just confusing.

Make it clear, simple and be honest with your users. More on this in the next section:

When processing Personal Data, be clear, simple and honest with your users. Think about whether you truly need the personal data in question in order to provide the product or service. Be upfront at the time you gather the personal data. Make it easy to give and withdraw consent. Think about how long your organisation will need to hold the information and consider a policy of deletion after a given time period.

“Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.” [Article 5, Article 6, 1]

Here’s the kicker: periodic review. You should consider how much data your business really needs and for how long, and submit those needs to regular review, alongside appropriate security.

Example – Lawful and Fair

Businesses cannot hoard thousands of email addresses forever and ever and keep re-importing them from all different sources from the past. Yes, we’ve seen this done and it will be unequivocally unlawful by 25th May 2018.

What the experts say about GDPR Compliance

“Initiating a compliance project should be a priority on every organisation’s agenda ahead of May 2018. They can initiate a project by mapping their data sources, conducting a gap analysis, implementing processes and procedures in compliance with the Regulation’s requirements, delivering GDPR staff awareness training and in certain cases appointing a data protection officer. Although it’s not necessarily overly onerous, the project is likely to take months, so the time to act is now.

“Businesses that take advantage of the opportunity the GDPR presents and achieve compliance by May 2018 will not only avoid significant financial and reputational damage but will also find that data handling, information security and compliance processes are secure, robust and reliable. Organisations will be able to provide their clients, partners, investors and stakeholders with the assurance that data is processed in lawful, fair and transparent manner and ongoing GDPR compliance is a high priority.”

Personal Data Information Requests (Subject Access Requests)

The GDPR sets down some rules on how you should respond when EU citizens request the information your organisation holds about them.

Must respond within a month – The controller must respond to a request within one month of the request having been made. [Article 12, 3]

Must be free (no payment) – The controller cannot charge an administration fee for complying with requests. [Article 12, 5]

It is therefore worth considering making personal data management an automated process, to minimise the impact of many requests, and to comply with the spirit of the law: treating personal data as though it belongs to the data subject, not the data controller.

Example – Information Requests (Subject Access Requests)

Put a Personal Data Information Request form in the My Account pages of your online shop, alongside the consent toggles.

Identity of the Controller – be open about who you are

We always advise being open with your identity and contact information – it’s in our Ethos. Put contact information on your website and email footer. If you are handling personal data, this will become more important.

“For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.” [Article 13]

Don’t forget to provide contact information on microsites or other business brands.

Particularly Sensitive

“The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person.” [Introductory text page 31]

There are special rules for “particularly sensitive” data. If your business handles particularly sensitive Personal Data, you may be subject to additional obligations.

Easy to Understand

Icons for use on websites

Standardised icons for the management of consent to personal data use are encouraged by the GDPR:

“standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.” [Introductory Text page 36, Article 12, Point 7.]

Portability

Example – Portability

Gathering personal data is not a method of customer retention. You can’t, for example, offer a photo storage service which saves people’s family photos in a format which cannot be viewed or used anywhere else. Attempts to “lock-in” users by using obscure file formats will be viewed in a dim light under GDPR.

Direct Marketing

This section is relevant to abandoned cart programmes and newsletter systems:

“Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.” [Introductory Text page 42, Article 21]

Liability

Take reasonable steps and consider the possibility of:

“discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage”. [Introductory Text page 46]

Assessment & Risk

Data controllers must perform a proportionate and objective assessment of the way personal data is handled in their organisation, and of what steps are reasonable to safeguard that information. [Article 35 “Data protection impact assessment”]

Addressing GDPR across sectors, segments and common platforms:

This is where the argument for addressing GDPR within WordPress and WooCommerce core resides – in the provisions for conducting Data Impact Assessments across a larger project:

“There are circumstances under which it may be reasonable and economical for the subject of a data protection impact assessment to be broader than a single project, for example where public authorities or bodies intend to establish a common application or processing platform or where several controllers plan to introduce a common application or processing environment across an industry sector or segment or for a widely used horizontal activity.” [Para (92) Introductory Text, page 58]

Consent options built-in from the start

Across the whole GDPR, there are plenty of hints that common formats and standards for privacy consent toggling are a good thing and should be encouraged from the outset of a design or software project. For Open-Source projects that includes consideration from core contributors on how the GDPR can be dealt with on a community basis. The EU is trying to make Personal Data processing as transparent as possible and would like consent options built-in as far as possible.

Right to Compensation / Obligation to Compensate

Common issues for website operators

Below are some of the most common issues faced by website owners and operators we deal with on a day-to-day basis, especially where relevant to WordPress.

Mailchimp

A large number of WordPress website operators, owners and developers use Mailchimp to handle newsletters and other email functions. Here’s what Mailchimp told us about their GDPR compliance efforts:

“We prepared a white paper that outlines the compliance efforts MailChimp is undertaking and also includes some information for our users that is relevant to their own GDPR compliance. You can find the white paper at the following blog post:

https://mailchimp.com/resources/getting-ready-for-the-gdpr/

“Please know that we are assessing the provisions of the EU’s General Data Privacy Regulation with guidance from the Article 29 Working Party and various member state DPAs. MailChimp is working with experts in this area, and intends to be compliant with the GDPR within the requirements of the provision.

“One example of the steps we’ve taken is updating our DPA to incorporate provisions to address (among other things) Article 46. You may find our DPA here where you can fully execute the agreement online. From that page you may also view and download a sample for review. To fully execute the agreement, go back to the main page and complete the necessary fields.

“Additionally, MailChimp adheres to the Privacy Shield Principles. We are EU-U.S. and Swiss-U.S. Privacy Shield certified through 2018 and listed on the US Department of Commerce Privacy Shield website as The Rocket Science Group LLC d/b/a MailChimp.

“MailChimp is currently in the process of assessing and developing new, GDPR-friendly tools and features for our users, many of which are aimed at helping our users comply (or more easily comply) with requests from individual data subjects pursuant to their new rights under the GDPR. As these features are still in the research and development phases, we do not have any details to share with you as of today. But, please know that we are actively pursuing enhancements to our platform that will help our users with requests like these from data subjects, so please keep an eye on new release information from MailChimp over the coming months.”

WooCommerce Ramifications

Tracking of WooCommerce Stores

You can opt out of WooCommerce tracking your store’s usage of WooCommerce by going to WooCommerce > Status > Tools and then selecting Reset under Reset Usage Tracking.

What does the GDPR mean for abandoned carts?

A strict interpretation of GDPR could indicate that some abandoned cart practices are a breach of the requirement for “consent” to using personal data. In short, if consent to using data is granted – during checkout – by a consumer completing checkout, then consent is surely not given when someone abandons checkout half way through.

The key thing, here, is consent to use the data must have been – unambiguously – granted at the start of the customer journey.

So, if you don’t want to fall foul of GDPR, box number one needs to be an affirmative “yes you can use my data, including if I do not complete checkout” if you want to put cart abandonment email capture into your checkout process, for EU citizens.

In this regard, you might even put some consent in the site, which is geo-targeted to EU citizens, or make the consent display after customers select a country within the EU – and therefore make the country selection an early stage part, pre-consent, and pre “cart abandon” data collection. This would appear to be a Good Idea.

Silently collecting the email addresses of EU citizens from checkouts will not be a GDPR compliant activity.

And no, it’s probably not a good idea to just pop up a nag screen and say “see our privacy policy” – in fact this practice is specifically precluded in the GDPR regulations. You actually have to say what you will use data for, and how, at the time. You need to say “we will collect your partially completed checkout data and use this to [whatever you plan on doing] – do you agree to this usage?” – and store the response against this user.
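As an added example of the consent pattern this guide recaps above (no pre-ticked box, one purpose per box, an answer recorded before the order exists), here is a WooCommerce checkout snippet written for this guide. It is not Silicon Dales’ or WooCommerce’s own code; the field name, meta key and session key are invented for the example, and it assumes that WooCommerce’s checkout script re-posts the form when a field carrying the update_totals_on_change class changes, which is what lets the answer be stored while the cart is still open.

```php
<?php
/**
 * Added example, not Silicon Dales' or WooCommerce's code: an explicit consent
 * box for abandoned-cart follow-up on the WooCommerce checkout.
 * Constructed names: SD_CONSENT_FIELD, SD_CONSENT_META and the sd_* helpers.
 */

const SD_CONSENT_FIELD = 'sd_cart_followup_consent';   // form field name (constructed)
const SD_CONSENT_META  = '_sd_cart_followup_consent';  // session / user / order meta key (constructed)

// 1. Register the box as its own checkout field: unticked by default (a pre-ticked box
//    is not consent), not required (consent must not be a condition of buying), and
//    worded for this one purpose rather than bundled into the terms checkbox.
add_filter( 'woocommerce_checkout_fields', function ( $fields ) {
    $fields['order'][ SD_CONSENT_FIELD ] = array(
        'type'     => 'checkbox',
        'label'    => 'Yes, you may keep the details I enter here and email me a reminder '
                    . 'if I do not complete this order. I can withdraw this at any time.',
        'required' => false,
        // Reflect an answer already given in this session; otherwise unticked.
        'default'  => ( WC()->session && 'yes' === WC()->session->get( SD_CONSENT_META ) ) ? 1 : 0,
        // update_totals_on_change makes checkout.js re-post the form when the box changes.
        'class'    => array( 'form-row-wide', 'update_totals_on_change' ),
        'priority' => 20,
    );
    return $fields;
} );

// 2. Record the answer each time WooCommerce re-posts the checkout form. This fires on
//    every change, so the choice is stored even if the customer never clicks "Place order".
add_action( 'woocommerce_checkout_update_order_review', function ( $post_data ) {
    parse_str( $post_data, $fields );
    sd_record_consent( ! empty( $fields[ SD_CONSENT_FIELD ] ) );
} );

// 3. Record it again on the completed order, so the order itself carries the evidence.
add_action( 'woocommerce_checkout_create_order', function ( $order, $data ) {
    $given = ! empty( $data[ SD_CONSENT_FIELD ] );
    $order->update_meta_data( SD_CONSENT_META, $given ? 'yes' : 'no' );
    sd_record_consent( $given );
}, 10, 2 );

// Store the answer where follow-up code can find it: in the cart session for guests and
// on the user record for logged-in customers, with a timestamp for the audit trail.
function sd_record_consent( $given ) {
    $value = $given ? 'yes' : 'no';
    if ( WC()->session ) {
        WC()->session->set( SD_CONSENT_META, $value );
        WC()->session->set( SD_CONSENT_META . '_at', time() );
    }
    if ( is_user_logged_in() ) {
        update_user_meta( get_current_user_id(), SD_CONSENT_META, $value );
        update_user_meta( get_current_user_id(), SD_CONSENT_META . '_at', time() );
    }
}

// 4. The only question an abandoned-cart sender should ask. Silence or an
//    unanswered box is treated as 'no'.
function sd_may_send_cart_reminder( $user_id ) {
    return 'yes' === get_user_meta( $user_id, SD_CONSENT_META, true );
}
```

Any abandoned-cart mailer in the store should call sd_may_send_cart_reminder() (or read the session key for guests) before sending anything, and the same meta key should be exposed on the My Account page so that withdrawing consent is as easy as giving it. The page’s suggestion of showing the box only once an EU country has been selected can be layered on top by making the field’s display conditional on the billing country.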

What does GDPR mean for third party shipping handlers?

You will need to check up on your third party shipping handlers to ensure they comply with the GDPR and ensure your customers know how their personal data is going to be used and by whom.

What does GDPR mean for My Account pages?

My Account pages are a great place to allow users to self-manage their personal data.

This will most likely include a Privacy Settings page or tab with standardised toggle icons to allow the giving and withdrawal of consent to use Personal Data.

Another potential response to GDPR may be to include a “Delete My Account” button and/or a form to allow for a Personal Data information request.

Following the spirit of the GDPR, it would be best for these updates to be addressed within core, but individual site owners can also achieve these changes with plugins and custom code.
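As an added example of the My Account approach described above, here is a WooCommerce “Privacy Settings” tab written for this guide, where a customer can give or withdraw marketing consent with one click, together with personal data exporter and eraser callbacks so the same consent record is included by WordPress core’s Export Personal Data and Erase Personal Data tools (the wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers hooks, in core since WordPress 4.9.6). This is not Silicon Dales’ or WooCommerce’s own code; the endpoint slug, meta key and sd_* names are invented for the example.

```php
<?php
/**
 * Added example, not Silicon Dales' or WooCommerce's code: a My Account tab for
 * giving and withdrawing consent, plus core exporter/eraser callbacks for that record.
 * Constructed names: SD_PRIVACY_ENDPOINT, SD_MARKETING_META and the sd_* helpers.
 */

const SD_PRIVACY_ENDPOINT = 'privacy-settings';        // My Account URL slug (constructed)
const SD_MARKETING_META   = '_sd_marketing_consent';   // user meta key, 'yes' or 'no' (constructed)

// 1. Register the endpoint and add it to the My Account navigation.
add_action( 'init', function () {
    add_rewrite_endpoint( SD_PRIVACY_ENDPOINT, EP_ROOT | EP_PAGES );
} );
add_filter( 'woocommerce_account_menu_items', function ( $items ) {
    $items[ SD_PRIVACY_ENDPOINT ] = 'Privacy Settings';
    return $items;
} );

// 2. Render the tab: one plainly labelled toggle per purpose, showing the stored answer.
add_action( 'woocommerce_account_' . SD_PRIVACY_ENDPOINT . '_endpoint', function () {
    $given = sd_may_email_marketing( get_current_user_id() );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'sd_privacy_settings', 'sd_privacy_nonce' ); ?>
        <p><label>
            <input type="checkbox" name="sd_marketing" value="1" <?php checked( $given ); ?> />
            Email me offers and newsletters (you can untick this at any time)
        </label></p>
        <button type="submit" name="sd_privacy_save" value="1">Save privacy settings</button>
    </form>
    <?php
} );

// 3. Handle the save. Withdrawing consent is the same one-click action as giving it.
add_action( 'template_redirect', function () {
    if ( empty( $_POST['sd_privacy_save'] ) || ! is_user_logged_in() ) {
        return;
    }
    if ( empty( $_POST['sd_privacy_nonce'] ) || ! wp_verify_nonce( $_POST['sd_privacy_nonce'], 'sd_privacy_settings' ) ) {
        return;
    }
    sd_set_marketing_consent( get_current_user_id(), ! empty( $_POST['sd_marketing'] ) );
    wc_add_notice( 'Your privacy settings have been saved.' );
} );

function sd_set_marketing_consent( $user_id, $given ) {
    update_user_meta( $user_id, SD_MARKETING_META, $given ? 'yes' : 'no' );
    update_user_meta( $user_id, SD_MARKETING_META . '_changed', gmdate( 'c' ) ); // when, for the audit trail
}

// Gate every marketing send on the stored answer, never on a default.
function sd_may_email_marketing( $user_id ) {
    return 'yes' === get_user_meta( $user_id, SD_MARKETING_META, true );
}

// 4. Expose the record to core's Export / Erase Personal Data tools, so a subject
//    access request or erasure request covers it without hand-written SQL.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['sd-marketing-consent'] = array(
        'exporter_friendly_name' => 'Marketing consent',
        'callback'               => function ( $email_address ) {
            $user = get_user_by( 'email', $email_address );
            $data = array();
            if ( $user ) {
                $answer = get_user_meta( $user->ID, SD_MARKETING_META, true );
                $data[] = array(
                    'group_id'    => 'sd-consent',
                    'group_label' => 'Consent records',
                    'item_id'     => 'marketing-consent-' . $user->ID,
                    'data'        => array(
                        array( 'name' => 'Marketing emails', 'value' => $answer ? $answer : 'never answered' ),
                        array( 'name' => 'Last changed',     'value' => get_user_meta( $user->ID, SD_MARKETING_META . '_changed', true ) ),
                    ),
                );
            }
            return array( 'data' => $data, 'done' => true );
        },
    );
    return $exporters;
} );
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['sd-marketing-consent'] = array(
        'eraser_friendly_name' => 'Marketing consent',
        'callback'             => function ( $email_address ) {
            $user    = get_user_by( 'email', $email_address );
            $removed = $user && delete_user_meta( $user->ID, SD_MARKETING_META );
            if ( $user ) {
                delete_user_meta( $user->ID, SD_MARKETING_META . '_changed' );
            }
            return array( 'items_removed' => (bool) $removed, 'items_retained' => false, 'messages' => array(), 'done' => true );
        },
    );
    return $erasers;
} );
```

After adding the endpoint, re-save Settings > Permalinks once so the new rewrite rule is flushed. A “Delete My Account” button can be built the same way, by having the handler call the store’s existing erasure routine for the logged-in user rather than deleting the account directly, so that orders the business must retain for accounting are handled consistently.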

The Impact of Brexit

Model Contracts

Robert Bond from Bristows LLP explains how the relationship between the UK and EU will change under GDPR after Brexit:

“GDPR will come into force well before the UK leaves the EU and the new Data Protection Act 2018 reflects GDPR. We will therefore be on a level footing with the rest of the EU before and after Brexit.

“However unless UK negotiates an “adequacy” status as part of Brexit, we will not be in the EU and as such UK businesses may have more hoops to jump through when processing EU citizens’ personal data.”

Choosing a Lead Supervisory Authority

From 19th March 2019, the ICO will no longer be the Lead Supervisory Authority for personal data processing in the UK as far as GDPR rules are concerned.

UK companies with existing “hubs” on the continent will be expected to use the most appropriate local LSA if a data breach occurs.

There is some leeway in the legislation, expertly explored here by Deirdre Kilroy, for companies which are wholly based in the UK for data processing and HQ purposes. These companies may decide to go “jurisdiction shopping”, though in practice, most will use Ireland’s Data Protection Commission (Coimisiún Cosanta Sonraí), for the familiarity of the legal setup and ability to access services in the English language.

Accredited DPOs

Need an accredited DPO to check over your business or service? Need to formulate a GDPR strategy? Take a look at our list of accredited DPOs below:

The ICO guidance also specifically discourages the use of consent (& therefore a checkbox) if consent would be a pre-condition of service (which it would be for e.g. a contact form).

What IS important is to ensure the user is informed – e.g. adding a statement to the form which says something like ‘Your data will be processed and stored in line as outlined in our Privacy Information Notice [link]’.

Would be interested to have your thoughts on this – will add this comment to the Codeable post too.

“The ICO guidance also specifically discourages the use of consent (& therefore a checkbox) if consent would be a pre-condition of service (which it would be for e.g. a contact form).”

In my opinion, this is not quite the scenario that the ICO is getting at here. Pre-condition of service does not mean “contact form won’t submit without consent” – the service is not the submission of the contact form… it’s whatever you actually sell. If you don’t consent to your personal data being sent through, at all, then the checkbox is very valid for a contact form. What you cannot do, for example, is make a newsletter signup element on the contact form a compulsory yes, i.e. the form will ONLY submit if the user signs up to the newsletter part (and this DOES happen!).

It’s up to the individual company or business whether or not they feel form A needs a specific consent, and this will likely depend on what they will do with private data, but if it’s something that users would want to withdraw consent for later (like being on a newsletter list, for example) then specific consent should be requested.

So in this case, if you are “doing anything” with contact forms which you think people need to be asked about, then ask, but don’t make this request a condition for submission of the form. Unless that is the only purpose of the form itself, which should be self-evident (for example, a newsletter signup form).

Quite likely the “normal” contact form, for “get a quote”, may not need specific consent – but it depends on what is happening with that data. If it’s replied to, then destroyed, it’s probably okay. If it is going to be stored and marketing sent in the future, probably not okay.

Consent is required for each specific usage of data. A “get a quote” form, if this is all the data is used for, is probably not going to land you in hot water.